Aussie university gets hacker reputation

The University of NSW is gaining a reputation for excelling in training hackers. The university which just won the 2013 Cyber Security Challenge which involved competing in a non-stop 24-hour "capture the flag" contest, where they test the security of a fictitious company's IT systems, aiming to get the most points.

UNSW entered three groups of four students in the challenge, placing first, second and third. The winning group also won last year. Some members of the winning team have also come first in other Australian security challenges, such as the Ruxcon capture the flag contest held in Melbourne. The key appears to be Fionnbharr Davies who is the IT security lecturer and mentor to the UNSW students. Unlike many lecturers he works full-time at Azimuth Security, Davies co-lectures part-time alongside Brendan Hopper, 28, who works at the Commonwealth Bank as a penetration tester.

Many of their students have gone on to work at large security companies such as Stratsec and Securus Global, while some pupils are doing internships at the likes of Google. Although working in the security industry pays more than lecturing, Davies said he lectures because it is fun and his courses are different and practical. As a result a lot of people then immediately drop out of the course after the first or second week when they realise it's going to be a ton of work. Davies told the Aussie press he was shocked when he saw the way students at other universities were taught IT security.

They're all taught by these academics who have never hacked a thing in their life. The students are good, it's just the teachers who are pants, he said. More than 60 per cent of his course focused on projects, while the other 40 per cent was based on a "war game" challenge like the one held by Telstra and government agencies.

Students write rootkits, for Mac OS X, Android and Linux. Students can do them because they're intelligent and motivated. He said that to defend against hackers, you need to think like one, and go on the "offensive" rather than "defensive".